Flash Vulnerabilities Most Targeted by Exploit Kits in 2015

Adobe’s Flash Player in 2015 was the dominant application in terms of vulnerabilities targeted by exploit kits (EKs), with 13 of the 17 new flaws added to these malicious programs pertaining to the web plugin, Trend Micro reveals.

In order to keep their code potent, EK operators have been long adding exploits for various vulnerabilities to their software. Last year, 17 new flaws were targeted by EKs, including three zero-days that affected users before a patch was available, the security firm says.

With 13 new security bugs added to EKs last year alone, Adobe Flash Player proves once again its importance for cybercriminals. According to Trend Micro threat analysts Brooks Li and Joseph C. Chen, the absence of Flash would make these malicious program far less powerful than they are at the moment.

Angler was the most successful EK last year, and its operators were the first to integrate most of the newly discovered vulnerabilities in it as well. Angler was the first to include exploits for 12 new security flaws in 2015, Magnitude was first in two instances, while Nuclear, HanJuan, and Sundown were the first in one instance each.

Angler adds new exploits on a regular basis, and it was the EK to include most of the new vulnerabilities last year, namely 15 of them, followed by Magnitude and Nuclear with 12 flaws each. Neutrino added 10 new vulnerabilities, Rig added 7, Sundown 3, and Hanjuan only one.

In 2015, the threat actors behind EKs also started using the Diffie-Hellman key exchange algorithm to encrypt the communication between infected systems and their servers, thus making the analysis of generated network traffic more difficult. This also allowed them to avoid detection from network security products, as they were no longer able to scan and detect transferred malicious files.

Cybercriminals used compromised websites and malvertising as their primary methods to direct users to exploit kits, Trend Micro researchers explain. In fact, the security firm has discovered that over 88 percent of the exploit kit attacks in December 2015 were tied to malvertising.

The researchers note that malicious ads are often the result of ad networks failing to insure that all ad buyers are legitimate, meaning that attackers can buy traffic to redirect users to EKs. Last year, malvertisers used either banner/embedded ads or pop-up ads for redirections, creating fake ads and adding scripts to them to perform the redirection in the background, without requiring user interaction.

In December, all of the traffic associated with the Magnitude and Sundown EKs came from malvertising, the same as 89.32 percent of Angler traffic and 85.93 percent of the Rig EK traffic. At 39.8 percent and 33.8 percent, respectively, Neutrino and Nuclear relied mainly on other traffic sources.

Attackers also targeted the content management system (CMS) software used by site owners to take over websites and redirect visitors to malicious sites that contain the exploit kit code. Cybercriminals target sites running well-known CMSes like WordPress, Joomla, and Drupal because many run unpatched and vulnerable versions of these systems or use vulnerable add-ons.

In November last year, attackers managed to take over more than 1,500 websites in one campaign focused on ransomware distribution. They usually added a SWF object to pages on the compromised website to load another Flash file to inject a hidden iframe which would lead to the EK, all without users noticing the compromise.

At the beginning of this year, researchers at Heimdal Security reported a spike in the activity of exploit kits, coupled with a series of mutations made to their code. In November last year, Infoblox revealed that cybercriminals ramped up the creation of Domain Name System (DNS) infrastructure for exploit kits by 75 percent year-on-year during the third quarter of 2015.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.